LOWCVE-2020-36654CVSS 3.5

CVE-2020-36654: XSS in GENI Portal

Q: How do I fix CVE-2020-36654 in GENI Portal?

Apply the patch `39a96fb4b822bd3497442a96135de498d4a81337`. Consider input validation and output encoding as a temporary measure.

Platform

php

Component

geni-portal

AI Confidence: mediumNVDEPSS 0.5%Reviewed: May 2026

View on NVD

Save

CVE-2020-36654 describes a problematic cross-site scripting (XSS) vulnerability discovered in the GENI Portal. This flaw allows attackers to inject malicious scripts through manipulation of the invocationid/invocationuser argument within the portal/www/portal/sliceresource.php file. Affected versions are those prior to the patch identified as 39a96fb4b822bd3497442a96135de498d4a81337. Applying the patch is the recommended solution.

Impact and Attack Scenarios

Successful exploitation of CVE-2020-36654 allows an attacker to inject arbitrary JavaScript code into the GENI Portal web application. This can lead to various malicious outcomes, including session hijacking, defacement of the portal, and redirection of users to phishing sites. The attacker could potentially steal sensitive user data or gain unauthorized access to the system. The remote nature of the vulnerability means it can be exploited from anywhere with network access to the portal.

Exploitation Context

CVE-2020-36654 was published on January 18, 2023. No public proof-of-concept (PoC) code is currently known. The vulnerability's CVSS score is LOW, suggesting a relatively low probability of exploitation in the wild. It is not listed on the CISA KEV catalog at the time of this writing.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown

CISA KEVNO

Internet ExposureHigh

EPSS

0.49% (66% percentile)

CVSS Vector

Affected Software

Componentgeni-portal

VendorGENI

Affected rangeFixed in

n/a – n/a—

Weakness Classification (CWE)

CWE-79

Timeline

Reserved2023-01-17
Published2023-01-18
Modified2024-08-04
EPSS updated2026-04-02

Unpatched — 1222 days since disclosure

Mitigation and Workarounds

The primary mitigation for CVE-2020-36654 is to apply the provided patch: 39a96fb4b822bd3497442a96135de498d4a81337. If immediate patching is not possible, consider implementing input validation and output encoding on the invocationid and invocationuser parameters to prevent malicious script injection. Web application firewalls (WAFs) configured to detect and block XSS attacks can also provide a temporary layer of protection. After applying the patch, verify the fix by attempting to inject a simple JavaScript payload through the invocationid/invocationuser parameter and confirming that it is properly sanitized.

How to fix

Apply the patch 39a96fb4b822bd3497442a96135de498d4a81337 provided by the vendor to correct the Cross-Site Scripting (XSS) vulnerability in the sliceresource.php file. Alternatively, update GENI Portal to a version that incorporates this fix. Review the affected code to ensure that user input (invocation_id/invocation_user) is properly sanitized to prevent future XSS attacks.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2020-36654 — XSS in GENI Portal?

CVE-2020-36654 is a cross-site scripting (XSS) vulnerability in GENI Portal that allows attackers to inject malicious scripts via the invocationid/invocationuser parameter.

Am I affected by CVE-2020-36654 in GENI Portal?

You are affected if you are using a version of GENI Portal prior to the patch 39a96fb4b822bd3497442a96135de498d4a81337.

How do I fix CVE-2020-36654 in GENI Portal?

Apply the patch 39a96fb4b822bd3497442a96135de498d4a81337. Consider input validation and output encoding as a temporary measure.

Is CVE-2020-36654 being actively exploited?

There are currently no confirmed reports of active exploitation of CVE-2020-36654.

Where can I find the official GENI Portal advisory for CVE-2020-36654?

Refer to the vulnerability description for the associated VDB identifier (VDB-218475) for more information.